edb381a70edeb245df838ded22a529759e8dc209e576e7b11233e40d2bc2c425

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 19:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

84462ae43bc221b2bc18973405e629d0_exe32.exe
Size

208KB
MD5

84462ae43bc221b2bc18973405e629d0
SHA1

3280764840c2098713fe0f5492c66eb7c3482ea5
SHA256

edb381a70edeb245df838ded22a529759e8dc209e576e7b11233e40d2bc2c425
SHA512

d27a5c25a255865dbf828400f47f839c12d7049f38b11a6d8e2f382a8f51adc18dbbca380cf298eaa9a81f35f82dccdfa060219c477612474d1f4b0eca78492f
SSDEEP

3072:T2j7XPIwYdbJGG/qsvZtQsFAg9eOt9XMQQ++4EG29tj04SYT4NLthEjQT6j:T2jDibJVoVZcM7NLTQEj1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	BJFQF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	DMQAQO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	WPU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	ZATPR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	84462ae43bc221b2bc18973405e629d0_exe32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	HIKF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	MRZQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	DYWUB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	IFYVP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	RWXID.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	NCMMUQM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	KOIRGPL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	DBM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	ZXDB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	WWNB.exe

Executes dropped EXE 15 IoCs

pid	Process
1704	IFYVP.exe
1168	HIKF.exe
1748	DBM.exe
4748	RWXID.exe
5088	DMQAQO.exe
4316	WPU.exe
3708	ZXDB.exe
3804	ZATPR.exe
3548	WWNB.exe
3856	KOIRGPL.exe
1824	NCMMUQM.exe
2004	MRZQ.exe
1776	DYWUB.exe
4528	BJFQF.exe
4092	QXDDOI.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\BJFQF.exe.bat	DYWUB.exe
File created	C:\windows\SysWOW64\QXDDOI.exe	BJFQF.exe
File created	C:\windows\SysWOW64\QXDDOI.exe.bat	BJFQF.exe
File created	C:\windows\SysWOW64\HIKF.exe.bat	IFYVP.exe
File created	C:\windows\SysWOW64\WWNB.exe.bat	ZATPR.exe
File created	C:\windows\SysWOW64\BJFQF.exe	DYWUB.exe
File opened for modification	C:\windows\SysWOW64\QXDDOI.exe	BJFQF.exe
File opened for modification	C:\windows\SysWOW64\RWXID.exe	DBM.exe
File created	C:\windows\SysWOW64\WPU.exe.bat	DMQAQO.exe
File created	C:\windows\SysWOW64\MRZQ.exe	NCMMUQM.exe
File created	C:\windows\SysWOW64\WWNB.exe	ZATPR.exe
File opened for modification	C:\windows\SysWOW64\WWNB.exe	ZATPR.exe
File opened for modification	C:\windows\SysWOW64\BJFQF.exe	DYWUB.exe
File created	C:\windows\SysWOW64\HIKF.exe	IFYVP.exe
File created	C:\windows\SysWOW64\RWXID.exe	DBM.exe
File opened for modification	C:\windows\SysWOW64\WPU.exe	DMQAQO.exe
File opened for modification	C:\windows\SysWOW64\MRZQ.exe	NCMMUQM.exe
File created	C:\windows\SysWOW64\MRZQ.exe.bat	NCMMUQM.exe
File opened for modification	C:\windows\SysWOW64\HIKF.exe	IFYVP.exe
File created	C:\windows\SysWOW64\RWXID.exe.bat	DBM.exe
File created	C:\windows\SysWOW64\WPU.exe	DMQAQO.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File created	C:\windows\system\IFYVP.exe.bat	84462ae43bc221b2bc18973405e629d0_exe32.exe
File created	C:\windows\system\DBM.exe	HIKF.exe
File opened for modification	C:\windows\system\DBM.exe	HIKF.exe
File created	C:\windows\system\DMQAQO.exe	RWXID.exe
File opened for modification	C:\windows\system\DMQAQO.exe	RWXID.exe
File created	C:\windows\system\ZXDB.exe	WPU.exe
File created	C:\windows\NCMMUQM.exe.bat	KOIRGPL.exe
File created	C:\windows\system\DYWUB.exe	MRZQ.exe
File opened for modification	C:\windows\system\IFYVP.exe	84462ae43bc221b2bc18973405e629d0_exe32.exe
File created	C:\windows\ZATPR.exe	ZXDB.exe
File created	C:\windows\system\KOIRGPL.exe.bat	WWNB.exe
File opened for modification	C:\windows\NCMMUQM.exe	KOIRGPL.exe
File created	C:\windows\system\DYWUB.exe.bat	MRZQ.exe
File created	C:\windows\system\IFYVP.exe	84462ae43bc221b2bc18973405e629d0_exe32.exe
File created	C:\windows\system\DBM.exe.bat	HIKF.exe
File opened for modification	C:\windows\ZATPR.exe	ZXDB.exe
File created	C:\windows\ZATPR.exe.bat	ZXDB.exe
File created	C:\windows\system\KOIRGPL.exe	WWNB.exe
File opened for modification	C:\windows\system\KOIRGPL.exe	WWNB.exe
File created	C:\windows\NCMMUQM.exe	KOIRGPL.exe
File created	C:\windows\system\DMQAQO.exe.bat	RWXID.exe
File opened for modification	C:\windows\system\ZXDB.exe	WPU.exe
File created	C:\windows\system\ZXDB.exe.bat	WPU.exe
File opened for modification	C:\windows\system\DYWUB.exe	MRZQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 16 IoCs

pid	pid_target	Process	procid_target
3548	1900	WerFault.exe	81
2364	1704	WerFault.exe	87
1140	1168	WerFault.exe	92
4552	1748	WerFault.exe	98
4708	4748	WerFault.exe	103
4328	5088	WerFault.exe	108
3620	4316	WerFault.exe	115
4808	3708	WerFault.exe	120
3488	3804	WerFault.exe	127
4740	3548	WerFault.exe	132
4828	3856	WerFault.exe	137
628	1824	WerFault.exe	143
4820	2004	WerFault.exe	148
2688	1776	WerFault.exe	153
1604	4528	WerFault.exe	159
1356	4092	WerFault.exe	165

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1900	84462ae43bc221b2bc18973405e629d0_exe32.exe
1900	84462ae43bc221b2bc18973405e629d0_exe32.exe
1704	IFYVP.exe
1704	IFYVP.exe
1168	HIKF.exe
1168	HIKF.exe
1748	DBM.exe
1748	DBM.exe
4748	RWXID.exe
4748	RWXID.exe
5088	DMQAQO.exe
5088	DMQAQO.exe
4316	WPU.exe
4316	WPU.exe
3708	ZXDB.exe
3708	ZXDB.exe
3804	ZATPR.exe
3804	ZATPR.exe
3548	WWNB.exe
3548	WWNB.exe
3856	KOIRGPL.exe
3856	KOIRGPL.exe
1824	NCMMUQM.exe
1824	NCMMUQM.exe
2004	MRZQ.exe
2004	MRZQ.exe
1776	DYWUB.exe
1776	DYWUB.exe
4528	BJFQF.exe
4528	BJFQF.exe
4092	QXDDOI.exe
4092	QXDDOI.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
1900	84462ae43bc221b2bc18973405e629d0_exe32.exe
1900	84462ae43bc221b2bc18973405e629d0_exe32.exe
1704	IFYVP.exe
1704	IFYVP.exe
1168	HIKF.exe
1168	HIKF.exe
1748	DBM.exe
1748	DBM.exe
4748	RWXID.exe
4748	RWXID.exe
5088	DMQAQO.exe
5088	DMQAQO.exe
4316	WPU.exe
4316	WPU.exe
3708	ZXDB.exe
3708	ZXDB.exe
3804	ZATPR.exe
3804	ZATPR.exe
3548	WWNB.exe
3548	WWNB.exe
3856	KOIRGPL.exe
3856	KOIRGPL.exe
1824	NCMMUQM.exe
1824	NCMMUQM.exe
2004	MRZQ.exe
2004	MRZQ.exe
1776	DYWUB.exe
1776	DYWUB.exe
4528	BJFQF.exe
4528	BJFQF.exe
4092	QXDDOI.exe
4092	QXDDOI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 3740	1900	84462ae43bc221b2bc18973405e629d0_exe32.exe	83
PID 1900 wrote to memory of 3740	1900	84462ae43bc221b2bc18973405e629d0_exe32.exe	83
PID 1900 wrote to memory of 3740	1900	84462ae43bc221b2bc18973405e629d0_exe32.exe	83
PID 3740 wrote to memory of 1704	3740	cmd.exe	87
PID 3740 wrote to memory of 1704	3740	cmd.exe	87
PID 3740 wrote to memory of 1704	3740	cmd.exe	87
PID 1704 wrote to memory of 3816	1704	IFYVP.exe	89
PID 1704 wrote to memory of 3816	1704	IFYVP.exe	89
PID 1704 wrote to memory of 3816	1704	IFYVP.exe	89
PID 3816 wrote to memory of 1168	3816	cmd.exe	92
PID 3816 wrote to memory of 1168	3816	cmd.exe	92
PID 3816 wrote to memory of 1168	3816	cmd.exe	92
PID 1168 wrote to memory of 4356	1168	HIKF.exe	94
PID 1168 wrote to memory of 4356	1168	HIKF.exe	94
PID 1168 wrote to memory of 4356	1168	HIKF.exe	94
PID 4356 wrote to memory of 1748	4356	cmd.exe	98
PID 4356 wrote to memory of 1748	4356	cmd.exe	98
PID 4356 wrote to memory of 1748	4356	cmd.exe	98
PID 1748 wrote to memory of 4764	1748	DBM.exe	99
PID 1748 wrote to memory of 4764	1748	DBM.exe	99
PID 1748 wrote to memory of 4764	1748	DBM.exe	99
PID 4764 wrote to memory of 4748	4764	cmd.exe	103
PID 4764 wrote to memory of 4748	4764	cmd.exe	103
PID 4764 wrote to memory of 4748	4764	cmd.exe	103
PID 4748 wrote to memory of 4376	4748	RWXID.exe	104
PID 4748 wrote to memory of 4376	4748	RWXID.exe	104
PID 4748 wrote to memory of 4376	4748	RWXID.exe	104
PID 4376 wrote to memory of 5088	4376	cmd.exe	108
PID 4376 wrote to memory of 5088	4376	cmd.exe	108
PID 4376 wrote to memory of 5088	4376	cmd.exe	108
PID 5088 wrote to memory of 4396	5088	DMQAQO.exe	111
PID 5088 wrote to memory of 4396	5088	DMQAQO.exe	111
PID 5088 wrote to memory of 4396	5088	DMQAQO.exe	111
PID 4396 wrote to memory of 4316	4396	cmd.exe	115
PID 4396 wrote to memory of 4316	4396	cmd.exe	115
PID 4396 wrote to memory of 4316	4396	cmd.exe	115
PID 4316 wrote to memory of 2688	4316	WPU.exe	116
PID 4316 wrote to memory of 2688	4316	WPU.exe	116
PID 4316 wrote to memory of 2688	4316	WPU.exe	116
PID 2688 wrote to memory of 3708	2688	cmd.exe	120
PID 2688 wrote to memory of 3708	2688	cmd.exe	120
PID 2688 wrote to memory of 3708	2688	cmd.exe	120
PID 3708 wrote to memory of 3912	3708	ZXDB.exe	123
PID 3708 wrote to memory of 3912	3708	ZXDB.exe	123
PID 3708 wrote to memory of 3912	3708	ZXDB.exe	123
PID 3912 wrote to memory of 3804	3912	cmd.exe	127
PID 3912 wrote to memory of 3804	3912	cmd.exe	127
PID 3912 wrote to memory of 3804	3912	cmd.exe	127
PID 3804 wrote to memory of 2596	3804	ZATPR.exe	129
PID 3804 wrote to memory of 2596	3804	ZATPR.exe	129
PID 3804 wrote to memory of 2596	3804	ZATPR.exe	129
PID 2596 wrote to memory of 3548	2596	cmd.exe	132
PID 2596 wrote to memory of 3548	2596	cmd.exe	132
PID 2596 wrote to memory of 3548	2596	cmd.exe	132
PID 3548 wrote to memory of 460	3548	WWNB.exe	133
PID 3548 wrote to memory of 460	3548	WWNB.exe	133
PID 3548 wrote to memory of 460	3548	WWNB.exe	133
PID 460 wrote to memory of 3856	460	cmd.exe	137
PID 460 wrote to memory of 3856	460	cmd.exe	137
PID 460 wrote to memory of 3856	460	cmd.exe	137
PID 3856 wrote to memory of 2232	3856	KOIRGPL.exe	138
PID 3856 wrote to memory of 2232	3856	KOIRGPL.exe	138
PID 3856 wrote to memory of 2232	3856	KOIRGPL.exe	138
PID 2232 wrote to memory of 1824	2232	cmd.exe	143

C:\Users\Admin\AppData\Local\Temp\84462ae43bc221b2bc18973405e629d0_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\84462ae43bc221b2bc18973405e629d0_exe32.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\IFYVP.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\windows\system\IFYVP.exe
    C:\windows\system\IFYVP.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HIKF.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3816
    - - C:\windows\SysWOW64\HIKF.exe
        
        C:\windows\system32\HIKF.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1168
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DBM.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\windows\system\DBM.exe
        
        C:\windows\system\DBM.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RWXID.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\windows\SysWOW64\RWXID.exe
        
        C:\windows\system32\RWXID.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DMQAQO.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\windows\system\DMQAQO.exe
        
        C:\windows\system\DMQAQO.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WPU.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\windows\SysWOW64\WPU.exe
        
        C:\windows\system32\WPU.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZXDB.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\windows\system\ZXDB.exe
        
        C:\windows\system\ZXDB.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZATPR.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\windows\ZATPR.exe
        
        C:\windows\ZATPR.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WWNB.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\windows\SysWOW64\WWNB.exe
        
        C:\windows\system32\WWNB.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KOIRGPL.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\windows\system\KOIRGPL.exe
        
        C:\windows\system\KOIRGPL.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NCMMUQM.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\windows\NCMMUQM.exe
        
        C:\windows\NCMMUQM.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MRZQ.exe.bat" "
        24⤵
        
        PID:3244
        
        C:\windows\SysWOW64\MRZQ.exe
        
        C:\windows\system32\MRZQ.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DYWUB.exe.bat" "
        26⤵
        
        PID:5008
        
        C:\windows\system\DYWUB.exe
        
        C:\windows\system\DYWUB.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BJFQF.exe.bat" "
        28⤵
        
        PID:1884
        
        C:\windows\SysWOW64\BJFQF.exe
        
        C:\windows\system32\BJFQF.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QXDDOI.exe.bat" "
        30⤵
        
        PID:2784
        
        C:\windows\SysWOW64\QXDDOI.exe
        
        C:\windows\system32\QXDDOI.exe
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 844
        32⤵
        Program crash
        
        PID:1356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 1328
        30⤵
        Program crash
        
        PID:1604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1296
        28⤵
        Program crash
        
        PID:2688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 1316
        26⤵
        Program crash
        
        PID:4820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 1328
        24⤵
        Program crash
        
        PID:628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1324
        22⤵
        Program crash
        
        PID:4828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 1336
        20⤵
        Program crash
        
        PID:4740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 1240
        18⤵
        Program crash
        
        PID:3488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 960
        16⤵
        Program crash
        
        PID:4808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 1008
        14⤵
        Program crash
        
        PID:3620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1304
        12⤵
        Program crash
        
        PID:4328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 1304
        10⤵
        Program crash
        
        PID:4708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 1328
        8⤵
        Program crash
        
        PID:4552
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1336
        6⤵
        Program crash
        
        PID:1140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1296
      4⤵
      Program crash
      PID:2364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 984
  2⤵
  - Program crash
  PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1900 -ip 1900
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1704 -ip 1704
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1168 -ip 1168
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1748 -ip 1748
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4748 -ip 4748
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5088 -ip 5088
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4316 -ip 4316
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3708 -ip 3708
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3804 -ip 3804
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3548 -ip 3548
1⤵
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3856 -ip 3856
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1824 -ip 1824
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2004 -ip 2004
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1776 -ip 1776
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4528 -ip 4528
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4092 -ip 4092
1⤵
PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\NCMMUQM.exe

Filesize
208KB

MD5
e1db3ff90545c24b3ec4cfe74ba52c67

SHA1
97164d92626c8ac0f9774c5b94000fe421a88bb1

SHA256
f0e0b43e33ca525c919fdb7a7aa342bdcf50ce4ecb1f41a39089308566378ed7

SHA512
302472014d44f0be27fa9b060b3cbbfe6597f6a5d0e981f32ef355165dfb81c9220c7fd9559949c9c7637858777139a75852ff99a7b7b439447e09075463b5a8

Download Submit
C:\Windows\SysWOW64\BJFQF.exe

Filesize
208KB

MD5
f1eab39d1658fc85dded610c7f02d439

SHA1
08eb98f8aec800884116cdbb19e7d5c445726741

SHA256
c4eb8a7a6746177a1ca7103fe92085180962a0734e260a1933c9cbbb231ac9aa

SHA512
f1b6e6f4a505fc502a31f7647ff7f42fb7480c97c9a89779d5951953e677e1b5e1a52dd83265218eff5ad08cbdc803b178cd2f523dd19018b5267ebb1f196570

Download Submit
C:\Windows\SysWOW64\HIKF.exe

Filesize
208KB

MD5
5b151583f8f0fbb98fafb1565a69967e

SHA1
7f9e22eb1c0943a1bce1d8285ed4e6c5b4226c0b

SHA256
fe5674f7d12b1acb9d5f2811c5c036a960a7cd62a326b4cdb09c8aa3e0ae2f6c

SHA512
1e197292f2684cf4d7d75758add1619329398d6132fbab570edfe7ebf28615b7ce55d7025665f5096e81b7babe68a8915e40fe69db913adc748e73ca6d062935

Download Submit
C:\Windows\SysWOW64\HIKF.exe

Filesize
208KB

MD5
a3186a8486137ce8337440d20fab41b3

SHA1
d5e32d4171a66921958fd9559d44adac8cda8f92

SHA256
a48a94bf60958f03fc9ccd127ec71cb8bf279562410030d49a0f1e1ffa337bef

SHA512
38e3ccbf1d1e9b5e1733a4b43d991ccf168b2720b9e681ed02986a35e849e5e7cb681229bb7de8998500cfe2188b2a6dc6a164dc5824bd26105838ad31c7fa11

Download Submit
C:\Windows\SysWOW64\MRZQ.exe

Filesize
208KB

MD5
b92611a97a308b9fb1fe7e5348907bda

SHA1
a67b3e4d7653ce05553e2dc6321dc51fd1f21175

SHA256
10800e19c71e6ec0d1c2cddc3d176e54104c12900313db8fa6980c81078bb222

SHA512
1f27333b93edfd09c47e441c3ec4b495ee841bc770490281586f0945408f39d85b449e4582779d915bf31751819d9485f98e764ac689094bdf103b5610f9617c

Download Submit
C:\Windows\SysWOW64\QXDDOI.exe

Filesize
208KB

MD5
9ebef64c33406afc65d2beea3c9f076e

SHA1
826193468ab0372cf6a1f0438dca42f3c8abf6c1

SHA256
a094ea250ae9b8028bff2fc563d28dd1e03f225a5670e36f5a7a75c97265bd23

SHA512
b562e8ee441d2a1d94848e2f1956666be31346d246b853d62e287c5b63ea20871fc10a4a916332d832703ba62a973e00ffe2d71164a96283d3b26d7d27ecf97a

Download Submit
C:\Windows\SysWOW64\RWXID.exe

Filesize
208KB

MD5
7a7ee51dd29891f70c320b72d34b1d37

SHA1
ac716b98af6892bbc048b05126f3be123be6bd91

SHA256
902974f1e81dd3b933c2e123bebeea5e0559e69af4405700ca0805d3ec910f89

SHA512
48b22ab16cb7d2a2e2c7f5a385d5fe75be81f0638414d5b88041bc8e0a5adba33b1322384169b7445094c0154095f339bfd2b85d7ed98f151e503a3efb4f348f

Download Submit
C:\Windows\SysWOW64\WPU.exe

Filesize
208KB

MD5
8dca795d408791d3b42212aacf09f218

SHA1
47789d1ea4003b774957a9ba702553ca30284634

SHA256
c09193e7b5d63c83a79162c84440b7e94fb2f4b1d86c2ef4642082c4900da0be

SHA512
c03db396835787196b1adb06803a8e5c65ff8167b1216120d3a0e70059616f74b2be1bca6bc52f8e0b5d678915bd7cb83b6200b4e72a4a7bff23f00a73ec633a

Download Submit
C:\Windows\SysWOW64\WWNB.exe

Filesize
208KB

MD5
a913e9f523a05502e3859e102702b8be

SHA1
30cfaa8ec641771cad03f3ad9cec255cbdfeb3c1

SHA256
118485a4f104f1ec9443fbe46b91e9b2cd53ec89aba5c9b7fd9a367a0a8e0905

SHA512
54603f8ff52b4a415175e9904812d83c1815cc71c8758c07d3877c281d91ce015faf3c75083dfa78bdab18cfd153bdbc41da657449e1824947e3f7317767e7cc

Download Submit
C:\Windows\System\DBM.exe

Filesize
208KB

MD5
eef037b266e992a862619989067f6000

SHA1
dd36c98618b67ef267b8c65d9c5b48db41c42843

SHA256
4d16378611ef0559fd64863628a20fc85738234de069d21e77fec3e6aacbb5f8

SHA512
67e0367f4d802b0ce83d49498561859ec185a6f6617b459042f35476ad0060050584d8995e9e48f303d54b79b76d294f16154d6233300af794baa7ee2ab43176

Download Submit
C:\Windows\System\DMQAQO.exe

Filesize
208KB

MD5
ae92e5211eed2281b10f2339f8911999

SHA1
4bc9d5730dca9861e6966f8232d0e962f95dda37

SHA256
f80b91b4007be9afaa8b19b539b9e1b7aef934ffdc1d35c7ccfa8e70782c7bfb

SHA512
a4396946dd81060444db6f79d958dc590adea77057a7bfb5697541d9a03ae3ff1aaf32bd82e188b83a1bfdfb5a486ada7ea0b460314a2ba497d1a828767fdd18

Download Submit
C:\Windows\System\DYWUB.exe

Filesize
208KB

MD5
a1274d73d635d12f34c5e4acadb21747

SHA1
ab1f693b0bd4bdcfb0f59b88e499bafbf42fcde7

SHA256
60f1c431f1c5f2ff36367aa8e2822f1234a205093de1b1a7eaf4a78ecc9bc244

SHA512
ca04b47d40f7f1f38293b42157c36f430fcc485a959d54350a2089cd08d363345962f15c5735e1c210bf4bf0888b89efabf10f5ceb5227dab971765c96c834f7

Download Submit
C:\Windows\System\IFYVP.exe

Filesize
208KB

MD5
3af406d027f0762f508bedf0fbf0aa02

SHA1
199d11e2594105a29136c0ce65fb3c3134d43205

SHA256
94f72b9b2d3d76cf49e9184a8afe5c5e13085dc6c64e4d3ff0c2094a22a0c360

SHA512
7c6c97af33f38a3a293e812f0d21c28127c6ab4c5b67f166e6810a708076350dbb24238e22fb4ade4af9eaf1cab7e3fa4e5ca27f4777e2a8d1f9f3a71f731552

Download Submit
C:\Windows\System\KOIRGPL.exe

Filesize
208KB

MD5
09fa1c5c2a28b07a6dbaffd14a0bf25d

SHA1
bdb003db6acc839a43bbe468f798736b406534fd

SHA256
1f3c7ef70dfbb2409d6afece86658fe233d8ec36e85141079142c8b3551002ed

SHA512
952b56fe441c1f65f73823a0b542f13748d2cf2d743795484cc09dc714858d0549de97c2f0f9017f713e0c5675ddf0f83703bb3ab15666688b45e386656b9608

Download Submit
C:\Windows\System\ZXDB.exe

Filesize
208KB

MD5
b8cb78eab0b14081420ed7fe1f84ed18

SHA1
a0a3b90368010f9e97f5d28eb90c86b8e7c6e19f

SHA256
1d44156802396de2e5095dddcb3188c761870d7db1a59936f15bc28bfebd263f

SHA512
698baa644351fe6c9a0ca847dafe1032253894f9610cfa19fc595c8db6e86923f3ff3557e5731d94369d52dc2e49c92ce51f4e1cd0581c4fc8a6814cc90fc955

Download Submit
C:\Windows\ZATPR.exe

Filesize
208KB

MD5
730a1b08fdecb138789b84af8f886db3

SHA1
4ea9f7a2d96fe3388b781c7fb1ed7f1b2f993c1f

SHA256
22724f648fe3233b2062047ace7a99a9652590a497483c22bf3b8ef781c1b7c9

SHA512
82ac0bf58c3bd1f948f71026959fc80e0093bd41de28c8bbad2a0187dfec604abce9b58c90a3705010e64f60b0aba3c59e7b0c1850979a042419b7518401a121

Download Submit
C:\windows\NCMMUQM.exe

Filesize
208KB

MD5
e1db3ff90545c24b3ec4cfe74ba52c67

SHA1
97164d92626c8ac0f9774c5b94000fe421a88bb1

SHA256
f0e0b43e33ca525c919fdb7a7aa342bdcf50ce4ecb1f41a39089308566378ed7

SHA512
302472014d44f0be27fa9b060b3cbbfe6597f6a5d0e981f32ef355165dfb81c9220c7fd9559949c9c7637858777139a75852ff99a7b7b439447e09075463b5a8

Download Submit
C:\windows\NCMMUQM.exe.bat

Filesize
60B

MD5
121217563afcf380567a4642158d6b11

SHA1
9eaff31975e986714b7de51822d8867f42d1ad49

SHA256
9bfb9a947e2896ebeba6cbfb98a45c29afc5adef9b44219d34a0fdd7bbddcbe6

SHA512
aac3a2f1cb14c42f49c86f095f2df18a33e3aab2fac7e5800eb734de91adf00ca223d78016931a6094db2c7aae09a20cbfb9f0d44ec7c7c493d445a0dff08eef

Download Submit
C:\windows\SysWOW64\BJFQF.exe

Filesize
208KB

MD5
f1eab39d1658fc85dded610c7f02d439

SHA1
08eb98f8aec800884116cdbb19e7d5c445726741

SHA256
c4eb8a7a6746177a1ca7103fe92085180962a0734e260a1933c9cbbb231ac9aa

SHA512
f1b6e6f4a505fc502a31f7647ff7f42fb7480c97c9a89779d5951953e677e1b5e1a52dd83265218eff5ad08cbdc803b178cd2f523dd19018b5267ebb1f196570

Download Submit
C:\windows\SysWOW64\BJFQF.exe.bat

Filesize
74B

MD5
e1d8e73008ee5846f58b46df6df28e53

SHA1
87bab25762e3838d237b89b81425ad433aff501f

SHA256
866171339df1efdbc4224199725dbb8601992c0995044b3efecc9fc7d2774617

SHA512
0e479209929b00c6d988ed89c9dc57efd4e8de148ddfcd0a65dd6b8486cdf5039a09ef3d7b4ea019f5e010dbff4b3e24c28a9ac004389ca948efd08bc5f7ebfd

Download Submit
C:\windows\SysWOW64\HIKF.exe

Filesize
208KB

MD5
a3186a8486137ce8337440d20fab41b3

SHA1
d5e32d4171a66921958fd9559d44adac8cda8f92

SHA256
a48a94bf60958f03fc9ccd127ec71cb8bf279562410030d49a0f1e1ffa337bef

SHA512
38e3ccbf1d1e9b5e1733a4b43d991ccf168b2720b9e681ed02986a35e849e5e7cb681229bb7de8998500cfe2188b2a6dc6a164dc5824bd26105838ad31c7fa11

Download Submit
C:\windows\SysWOW64\HIKF.exe.bat

Filesize
72B

MD5
e4a45b39d43c5ff10383af3151e0b70c

SHA1
badbf104bb2c799f82860c31c36a17ad7b035f0c

SHA256
1c9b9003ec1a74f40f26bab57692623a3888a7c0a120a8c78f08dc15367a890b

SHA512
ef641fc73e9e4291c71e1e1e82eb51b3abd1a8d4493abcd0a702a5b0d5e7993b9fbc18f484e5305e5f124d1964a9eaee4d6b8ef31a144292049af7d2f505d952

Download Submit
C:\windows\SysWOW64\MRZQ.exe

Filesize
208KB

MD5
b92611a97a308b9fb1fe7e5348907bda

SHA1
a67b3e4d7653ce05553e2dc6321dc51fd1f21175

SHA256
10800e19c71e6ec0d1c2cddc3d176e54104c12900313db8fa6980c81078bb222

SHA512
1f27333b93edfd09c47e441c3ec4b495ee841bc770490281586f0945408f39d85b449e4582779d915bf31751819d9485f98e764ac689094bdf103b5610f9617c

Download Submit
C:\windows\SysWOW64\MRZQ.exe.bat

Filesize
72B

MD5
b384b1bbca90b41b1b67ee7f0ddf6454

SHA1
4ac768e62f1fcdd6929e32aa0e648d2cb1ee9019

SHA256
4360d3d0c6515e2fe4f6bff06a8740bbcd776191f7e87b41e78b0184dd1abfc8

SHA512
d28ece167f307d28a650c77721260e2761a7b149fa669d6c0b4a282337f067bf24c4561d3eaf92edcda41d04b4c57be92a3617629ff62a643c710a6fda22d964

Download Submit
C:\windows\SysWOW64\QXDDOI.exe

Filesize
208KB

MD5
9ebef64c33406afc65d2beea3c9f076e

SHA1
826193468ab0372cf6a1f0438dca42f3c8abf6c1

SHA256
a094ea250ae9b8028bff2fc563d28dd1e03f225a5670e36f5a7a75c97265bd23

SHA512
b562e8ee441d2a1d94848e2f1956666be31346d246b853d62e287c5b63ea20871fc10a4a916332d832703ba62a973e00ffe2d71164a96283d3b26d7d27ecf97a

Download Submit
C:\windows\SysWOW64\QXDDOI.exe.bat

Filesize
76B

MD5
c1125a68e1c4b001e3a7bffd16e34b24

SHA1
6a13abeef3366ee5c468fd6bef475de128e16e2c

SHA256
42d774202c0e9bc5e0a7564ce619d90720072f8bf2963154b491198e9ce59bca

SHA512
2b9ea0fcf68884e1512cf76fd66f4f95d8adc0ec21d55a770b3a9a59c4f12fb73a930210d978ace20d3f8f7096be547b676196226b6878f3127c0a9a466cdbc8

Download Submit
C:\windows\SysWOW64\RWXID.exe

Filesize
208KB

MD5
7a7ee51dd29891f70c320b72d34b1d37

SHA1
ac716b98af6892bbc048b05126f3be123be6bd91

SHA256
902974f1e81dd3b933c2e123bebeea5e0559e69af4405700ca0805d3ec910f89

SHA512
48b22ab16cb7d2a2e2c7f5a385d5fe75be81f0638414d5b88041bc8e0a5adba33b1322384169b7445094c0154095f339bfd2b85d7ed98f151e503a3efb4f348f

Download Submit
C:\windows\SysWOW64\RWXID.exe.bat

Filesize
74B

MD5
04fad82d2195f33d0299725efb691c6e

SHA1
a6ea288701327349d422b3ad9eec5cc9b0daab13

SHA256
1a83bc5d5b63f3045f3d56399e45b618ebe2aeb5c9109e505b8f40eaa8a10a94

SHA512
50ab1f0d76db7630863a5c7c4fd53a599a0781e23cee1f800aed2e445c92e2311a1e4e23a56704c2940bb3dbb9716b39d2010c8b7061da69272c8ea16e0b4dfd

Download Submit
C:\windows\SysWOW64\WPU.exe

Filesize
208KB

MD5
8dca795d408791d3b42212aacf09f218

SHA1
47789d1ea4003b774957a9ba702553ca30284634

SHA256
c09193e7b5d63c83a79162c84440b7e94fb2f4b1d86c2ef4642082c4900da0be

SHA512
c03db396835787196b1adb06803a8e5c65ff8167b1216120d3a0e70059616f74b2be1bca6bc52f8e0b5d678915bd7cb83b6200b4e72a4a7bff23f00a73ec633a

Download Submit
C:\windows\SysWOW64\WPU.exe.bat

Filesize
70B

MD5
8b4d99df9f3da04cdd11ebb577a515f7

SHA1
26cc02456bcb1bc84dc7308f4d05f81e1e525e30

SHA256
caa529244ad86af2c1b07bedc3acd75be18b5f42f164eb3ba3da16db159b6031

SHA512
6e22665ec08447d4b9899f891d4d384c8914eb4368e0cd71c3516e18bfff11ecbcf543f66bdc4011562be9e892a97c59fdd3042807f1f8a7f80da565b63a5653

Download Submit
C:\windows\SysWOW64\WWNB.exe

Filesize
208KB

MD5
a913e9f523a05502e3859e102702b8be

SHA1
30cfaa8ec641771cad03f3ad9cec255cbdfeb3c1

SHA256
118485a4f104f1ec9443fbe46b91e9b2cd53ec89aba5c9b7fd9a367a0a8e0905

SHA512
54603f8ff52b4a415175e9904812d83c1815cc71c8758c07d3877c281d91ce015faf3c75083dfa78bdab18cfd153bdbc41da657449e1824947e3f7317767e7cc

Download Submit
C:\windows\SysWOW64\WWNB.exe.bat

Filesize
72B

MD5
ef1e62b008dda9d83c1d4585d97c1dd6

SHA1
8d255df23cc4a360a982b59aea20b4211b865f3f

SHA256
d5a9bfe719704229de3d3100c4fcaad03dbf35e8b6ddeb917abb39e82710953f

SHA512
5bc0b909f5402abcaaa2b33720cdd711e2bd83bf4c5e97cdc40619d85f374d67c0ec75bbc0e14b57d6e91ffac94243ef8756a83d93710e179fb25bf55c3b29ce

Download Submit
C:\windows\ZATPR.exe

Filesize
208KB

MD5
730a1b08fdecb138789b84af8f886db3

SHA1
4ea9f7a2d96fe3388b781c7fb1ed7f1b2f993c1f

SHA256
22724f648fe3233b2062047ace7a99a9652590a497483c22bf3b8ef781c1b7c9

SHA512
82ac0bf58c3bd1f948f71026959fc80e0093bd41de28c8bbad2a0187dfec604abce9b58c90a3705010e64f60b0aba3c59e7b0c1850979a042419b7518401a121

Download Submit
C:\windows\ZATPR.exe.bat

Filesize
56B

MD5
05f88473bfb4d1398ded76f05f931d08

SHA1
e57b1ec929d42b484f9a455ec0e2f9eddce79b6f

SHA256
47a160081f5e6c974e6e6abc83af0c67eaf70f00e4f768fdf2d80b37c7331d8d

SHA512
89539d3d8caabbcd4dc952a499bb1d9e15b69510d942dcfcd15e02f6f4c815e13aa44500ff9a49413cf05685c739bf3c54f93da3e5746e9afca926ca1465b420

Download Submit
C:\windows\system\DBM.exe

Filesize
208KB

MD5
eef037b266e992a862619989067f6000

SHA1
dd36c98618b67ef267b8c65d9c5b48db41c42843

SHA256
4d16378611ef0559fd64863628a20fc85738234de069d21e77fec3e6aacbb5f8

SHA512
67e0367f4d802b0ce83d49498561859ec185a6f6617b459042f35476ad0060050584d8995e9e48f303d54b79b76d294f16154d6233300af794baa7ee2ab43176

Download Submit
C:\windows\system\DBM.exe.bat

Filesize
66B

MD5
e133c701a81f9406a87e104ed77f2e9f

SHA1
c43ac6ac23d65a8c3e5138f0b781f4e4d937e4bd

SHA256
8f9bd5a81be35f704a99778295c39da65d0ac9a82e6325d1e9b1aba1c8c2dcb4

SHA512
ee34af313a19df113a2920e15da357bc6e8200f9f4c1ac57ae1110ee07e8a9f1674c2c7fc02638b66366825a15b6d494409e1dc88e214e454150728c290245c3

Download Submit
C:\windows\system\DMQAQO.exe

Filesize
208KB

MD5
ae92e5211eed2281b10f2339f8911999

SHA1
4bc9d5730dca9861e6966f8232d0e962f95dda37

SHA256
f80b91b4007be9afaa8b19b539b9e1b7aef934ffdc1d35c7ccfa8e70782c7bfb

SHA512
a4396946dd81060444db6f79d958dc590adea77057a7bfb5697541d9a03ae3ff1aaf32bd82e188b83a1bfdfb5a486ada7ea0b460314a2ba497d1a828767fdd18

Download Submit
C:\windows\system\DMQAQO.exe.bat

Filesize
72B

MD5
a22d164fd671c30b59af4fb37811c666

SHA1
1cb7910bc27750bb9e0a2221f3f168ed252c53b3

SHA256
13de6babb0054ed67be23aedc2840245a5151d43e8992707f3d913baae54eb49

SHA512
c7e780427f026067b026b6d4356baffded016600f29747e1c682970f84ccfc4dce061ebcd29c1152a7d11097aa0e3ba93bbe86771503b44bd1b2c733983792dc

Download Submit
C:\windows\system\DYWUB.exe

Filesize
208KB

MD5
a1274d73d635d12f34c5e4acadb21747

SHA1
ab1f693b0bd4bdcfb0f59b88e499bafbf42fcde7

SHA256
60f1c431f1c5f2ff36367aa8e2822f1234a205093de1b1a7eaf4a78ecc9bc244

SHA512
ca04b47d40f7f1f38293b42157c36f430fcc485a959d54350a2089cd08d363345962f15c5735e1c210bf4bf0888b89efabf10f5ceb5227dab971765c96c834f7

Download Submit
C:\windows\system\DYWUB.exe.bat

Filesize
70B

MD5
cfcba5ebb8678b94b37e8741485ca961

SHA1
89481e8d594cfc4735cb520edca5607ed2868b25

SHA256
1ac74b0d4393a601734d78c2566827ea9022fb696283c2dcb18c5a6dd7dcfe87

SHA512
d796914c490ffef42e175af2204394836aaf61ca9fb806100e534b636a4904da9e146272f36ba76f2c8bbd2f90629250e46e0b426dd3bd61c3339de3e9122fa7

Download Submit
C:\windows\system\IFYVP.exe

Filesize
208KB

MD5
3af406d027f0762f508bedf0fbf0aa02

SHA1
199d11e2594105a29136c0ce65fb3c3134d43205

SHA256
94f72b9b2d3d76cf49e9184a8afe5c5e13085dc6c64e4d3ff0c2094a22a0c360

SHA512
7c6c97af33f38a3a293e812f0d21c28127c6ab4c5b67f166e6810a708076350dbb24238e22fb4ade4af9eaf1cab7e3fa4e5ca27f4777e2a8d1f9f3a71f731552

Download Submit
C:\windows\system\IFYVP.exe.bat

Filesize
70B

MD5
4091b8c4f39934ed78c0f04bdc8793db

SHA1
1bd9a88403bc750b84d33f2d763b82534ff302da

SHA256
04aef0acb3b0b5693369b6d2b7c5e3359d2de28758349f7073c3c9ecd46f9cf8

SHA512
53038f87dd24a4786def014fb9265c250f394e1941a8a1453ca94aca5f91f2d7677de885898720e82f0102cb9c1872481828b4b15bcbc0bf7b8a4aadf9f6f30f

Download Submit
C:\windows\system\KOIRGPL.exe

Filesize
208KB

MD5
09fa1c5c2a28b07a6dbaffd14a0bf25d

SHA1
bdb003db6acc839a43bbe468f798736b406534fd

SHA256
1f3c7ef70dfbb2409d6afece86658fe233d8ec36e85141079142c8b3551002ed

SHA512
952b56fe441c1f65f73823a0b542f13748d2cf2d743795484cc09dc714858d0549de97c2f0f9017f713e0c5675ddf0f83703bb3ab15666688b45e386656b9608

Download Submit
C:\windows\system\KOIRGPL.exe.bat

Filesize
74B

MD5
1d5bd54a78021fca752caca225c864af

SHA1
a7c63429d53b25e990a68fff94fd9a8e6f343394

SHA256
65d7011433e2c219b4b7425c342e1b5f47c5bb9c4a4b64e75063d5ce1b0a3b5b

SHA512
c02eb964ef94def045d065c47ea62f8c8511e5f907226e72a870e12c41ded735c3f2bc59920646d52ab390a59ae9406d92bf454ac074bb0a3310f59c419cb2d3

Download Submit
C:\windows\system\ZXDB.exe

Filesize
208KB

MD5
b8cb78eab0b14081420ed7fe1f84ed18

SHA1
a0a3b90368010f9e97f5d28eb90c86b8e7c6e19f

SHA256
1d44156802396de2e5095dddcb3188c761870d7db1a59936f15bc28bfebd263f

SHA512
698baa644351fe6c9a0ca847dafe1032253894f9610cfa19fc595c8db6e86923f3ff3557e5731d94369d52dc2e49c92ce51f4e1cd0581c4fc8a6814cc90fc955

Download Submit
C:\windows\system\ZXDB.exe.bat

Filesize
68B

MD5
aeb5964c05fac3d30938ae1dd7dae1e6

SHA1
88dca3715f180afaff8d2b96d422dfcfef9240c0

SHA256
157749894204cfa5eeea03764f7c2e9676eda256c10412bfe40c789f4ce58f7c

SHA512
c8ecd64c21fd5e5b31960263077092bdfb44a0b326d2b608029eb84fab2a4927d4910ddf22877490966f0e62a996b2b0859c5ffe964fd0affbc8a5db2e9541d6

Download Submit
memory/1168-40-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1168-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1704-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1704-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1748-52-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1748-33-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1776-180-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1776-152-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1824-130-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1824-154-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1900-29-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1900-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2004-142-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2004-178-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3548-106-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3548-119-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3708-83-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3708-118-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3804-141-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3804-94-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3856-117-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3856-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4092-176-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4092-181-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4316-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4316-105-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4528-165-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4528-179-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4748-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4748-46-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5088-78-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5088-58-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download